If someone does something altruistic in security, most stand up and applaud. But these days such actions also tend to attract polemicists to the party, especially of the cantankerous variety. Perhaps it’s no surprise then that Google’s Project Zero, which will gather some of the world’s finest minds in security to uncover dangerous bugs on the web, has attracted some scorn.
The withering comments are coming from a contentious part of the security industry: the zero-day exploit market. Companies in this sphere sell unpatched vulnerabilities to governments, law enforcement agencies and private entities, ostensibly so those buyers can protect their own systems, though the exploit code is widely believed to be used for attack as well as defence. They claim they are doing the world a favour by finding the bugs and being responsible in selling them to trusted parties. Criminals are doing the same, so isn’t it better to have more “good guys” hoovering up bugs before crooks do?
Possibly. But there are many who loathe zero-day merchants. As they often won’t tell the vendor about the bugs they find, most people using the affected software remain in danger. And it’s only the merchants and their customers who benefit.
It’s possible Google’s Project Zero could disrupt that market, finding those vulnerabilities before anyone else does. Given the number of bugs that emerge from the cracks every year, though, this seems unlikely at best. That’s why people like Chaouki Bekrar, who heads up exploit seller VUPEN, have claimed Project Zero is “yet another marketing campaign from Google corporation, nothing new under the sun from a cyber security perspective”.
“What Google did not understand is that killing a few zero-days will make Google’s researchers and/or shareholders feel better but it will definitely not kill the market of zero-day exploits,” Bekrar said over email. “Instead it will make it even more lucrative as both the white and black market’s prices for zero-days will increase each time the number of available exploits decreases.” There will be a lot of money going around then: legitimate zero-day merchants have previously said their exploit code has sold for upwards of $500,000 in the past.
Robert Graham from Errata Security, which offers “offensive” security services, noted Google has already been looking for zero-days in every kind of software. “I don’t think anything’s changed other than now they have a really cool name to put on the project,” Graham added.
“The most important aspect of this is how it helps Google… having a close-knit team of researchers learning from each other allows each member to produce vastly more than if they were working alone. Looking at other products produces intelligence that can be used to improve Google’s own products.”
If Bekrar and Graham are right, and Project Zero doesn’t negatively affect the zero-day vulnerabilities market and the value of these bugs goes up, criminal dealers are also likely to benefit. That’s perverse.
Not that crooks dealing in zero-days are selling cheap. Just this week, the Russian hacker w0rm, who attacked CNET and made off with at least a million users’ encrypted passwords, sent your reporter screenshots of what appeared to be his own exploit marketplace, w0rm.in. It included the bug w0rm used in the attack on the popular tech website, affecting the Symfony framework, a set of PHP components and tools that developers use to build websites.
According to w0rm, there are currently around 100 zero-days available for purchase on w0rm.in. The one in Symfony is going for as much as $30,000, whilst screenshots show others affecting some of the world’s biggest websites going for between $500 and $15,000 (those images won’t be shown here in case they are genuine bugs that criminals could use to steal data from those sites, though there is one shot below of the market).
Speaking in Russian, w0rm said the w0rm.in team came from an old school hacking background and have a love for freedom of information. They bring together experts to develop solutions for serious security problems, they added, whilst admitting that breaching a site’s defences was illegal in most countries on the planet.
Outside of recommending that CNET start collaborating with w0rm.in to improve security on the site, which would no doubt involve a hefty fee, w0rm suggested CNET start a bounty programme to help prevent future attacks. Neither of those two things is likely to happen, and one gets the feeling w0rm is being a tad disingenuous. The hacker won’t be disclosing the vulnerability in Symfony either, even though doing so would be a boon for internet security. Instead, he will try to make money out of it.
If only Google and its Project Zero team, or anyone for that matter, could bring an end to this kind of illicit activity. It would bring much-needed security to the world’s internet users.